CVE-2026-7381: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in MIYAGAWA Plack::Middleware::XSendfile
CVE-2026-7381 is a vulnerability in Plack::Middleware::XSendfile for Perl that allows client-controlled path rewriting via the X-Sendfile-Type header. A malicious client can exploit this by setting the header to "X-Accel-Redirect" and manipulating the X-Accel-Mapping to access arbitrary files on the server. The middleware has some mitigations: it restricts regular expressions in mappings and applies mappings only for the "X-Accel-Redirect" type. This module is deprecated since version 1.0053 and will be removed in future Plack releases. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
Plack::Middleware::XSendfile versions through 1.0053 allow an attacker to control the sendfile type via the X-Sendfile-Type HTTP header. Specifically, if the middleware constructor or Plack environment does not restrict this, an attacker can set the header to "X-Accel-Redirect" to target services behind nginx reverse proxies. By also setting the X-Accel-Mapping header, the attacker can cause the server to serve arbitrary files, leading to exposure of sensitive information. Although some mitigations exist to disallow regular expressions in mappings and limit the mapping application to the "X-Accel-Redirect" type, the vulnerability remains exploitable. The middleware is deprecated and slated for removal in future releases.
Potential Impact
The vulnerability enables unauthorized actors to read arbitrary files on the server by manipulating HTTP headers, potentially exposing sensitive information. This exposure could lead to information disclosure that might aid further attacks or compromise confidentiality. There is no indication of remote code execution or denial of service from the provided data.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Since Plack::Middleware::XSendfile is deprecated as of version 1.0053 and planned for removal, users should consider migrating away from this middleware to alternative solutions. Until then, users should ensure that the middleware constructor or Plack environment explicitly restricts or sanitizes the X-Sendfile-Type header to prevent client-controlled path rewriting. Monitor vendor advisories for updates or official fixes.
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-04-29T07:43:55.519Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f287e7cbff5d8610509db2
Added to database: 4/29/2026, 10:36:23 PM
Last enriched: 4/29/2026, 10:51:36 PM
Last updated: 4/29/2026, 11:37:16 PM